Security and Freedom Through Encryption Act (SAFE Act)

The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C., which discusses privacy and cryptography, including in a legal context.

Cryptography is now embraced by the international security standard, ISO 17799, which devotes sections to both cryptography and legal compliance.

A BILL

To amend title 18, United States Code, to affirm the rights of
United States persons to use and sell encryption and to relax export
controls on encryption.

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the `Security And Freedom through
Encryption (SAFE) Act'.

SEC. 2. SALE AND USE OF ENCRYPTION.

(a) IN GENERAL- Part I of title 18, United States Code, is amended
by inserting after chapter 123 the following new chapter:

`CHAPTER 125--ENCRYPTED WIRE AND ELECTRONIC INFORMATION

`2801. Definitions.

`2802. Freedom to use encryption.

`2803. Freedom to sell encryption.

`2804. Prohibition on mandatory key escrow.

`2805. Unlawful use of encryption in furtherance of a criminal
act.

`Sec. 2801. Definitions

`As used in this chapter--

`(1) the terms `person', `State', `wire communication',
`electronic communication', `investigative or law enforcement
officer', and `judge of competent jurisdiction' have the
meanings given those terms in section 2510 of this title;

`(2) the term `decrypt' means to retransform or unscramble
encrypted data, including communications, to its readable form;

`(3) the terms `encrypt', `encrypted', and `encryption' mean
the scrambling of wire communications, electronic
communications, or electronically stored information, using
mathematical formulas or algorithms in order to preserve the
confidentiality, integrity, or authenticity of, and prevent
unauthorized recipients from accessing or altering, such
communications or information;

`(4) the term `key' means the variable information used in a
mathematical formula, code, or algorithm, or any component
thereof, used to decrypt wire communications, electronic
communications, or electronically stored information, that has
been encrypted; and

`(5) the term `key recovery information' means information
that would enable obtaining the key of a user of encryption;

`(6) the term `plaintext access capability' means any method
or mechanism which would provide information in readable form
prior to its being encrypted or after it has been decrypted;

`(7) the term `United States person' means--

`(A) any United States citizen;

`(B) any other person organized under the laws of any
State, the District of Columbia, or any commonwealth,
territory, or possession of the United States; and

`(C) any person organized under the laws of any foreign
country who is owned or controlled by individuals or persons
described in subparagraphs (A) and (B).

`Sec. 2802. Freedom to use encryption

`Subject to section 2805, it shall be lawful for any person within
any State, and for any United States person in a foreign country,
to use any encryption, regardless of the encryption algorithm
selected, encryption key length chosen, or implementation
technique or medium used.

`Sec. 2803. Freedom to sell encryption

`Subject to section 2805, it shall be lawful for any person within
any State to sell in interstate commerce any encryption,
regardless of the encryption algorithm selected, encryption key
length chosen, or implementation technique or medium used.

`Sec. 2804. Prohibition on mandatory key escrow

`(a) GENERAL PROHIBITION- Neither the Federal Government nor a
State may require that, or condition any approval on a requirement
that, a key, access to a key, key recovery information, or any
other plaintext access capability be--

`(1) built into computer hardware or software for any purpose;

`(2) given to any other person, including a Federal
Government agency or an entity in the private sector that may
be certified or approved by the Federal Government or a State
to receive it; or

`(3) retained by the owner or user of an encryption key or
any other person, other than for encryption products for use by
the Federal Government or a State.

`(b) PROHIBITION ON LINKAGE OF DIFFERENT USES OF ENCRYPTION-
Neither the Federal Government nor a State may--

`(1) require the use of encryption products, standards, or
services used for confidentiality purposes, as a condition of
the use of such products, standards, or services for
authenticity or integrity purposes; or

`(2) require the use of encryption products, standards, or
services used for authenticity or integrity purposes, as a
condition of the use of such products, standards, or services
for confidentiality purposes.

`(c) EXCEPTION FOR ACCESS FOR LAW ENFORCEMENT PURPOSES-
Subsection (a) shall not affect the authority of any investigative
or law enforcement officer, or any member of the intelligence
community as defined in section 3 of the National Security Act of
1947 (50 U.S.C. 401a), acting under any law in effect on the
effective date of this chapter, to gain access to encrypted
communications or information.

`Sec. 2805. Unlawful use of encryption in furtherance of a
criminal act

`(a) ENCRYPTION OF INCRIMINATING COMMUNICATIONS OR INFORMATION
UNLAWFUL- Any person who, in the commission of a felony under a
criminal statute of the United States, knowingly and willfully
encrypts incriminating communications or information relating to
that felony with the intent to conceal such communications or
information for the purpose of avoiding detection by law
enforcement agencies or prosecution--

`(1) in the case of a first offense under this section, shall
be imprisoned for not more than 5 years, or fined in the amount
set forth in this title, or both; and

`(2) in the case of a second or subsequent offense under
this section, shall be imprisoned for not more than 10 years,
or fined in the amount set forth in this title, or both.

`(b) USE OF ENCRYPTION NOT A BASIS FOR PROBABLE CAUSE- The use
of encryption by any person shall not be the sole basis for
establishing probable cause with respect to a criminal offense or
a search warrant.'.

(b) CONFORMING AMENDMENT- The table of chapters for part I of
title 18, United States Code, is amended by inserting after the
item relating to chapter 123 the following new item:

2801'.

SEC. 3. EXPORTS OF ENCRYPTION.

(a) AMENDMENT TO EXPORT ADMINISTRATION ACT OF 1979- Section 17 of
the Export Administration Act of 1979 (50 U.S.C. App. 2416) is
amended by adding at the end thereof the following new subsection:

`(g) CERTAIN CONSUMER PRODUCTS, COMPUTERS, AND RELATED
EQUIPMENT-

`(1) GENERAL RULE- Subject to paragraphs (2) and (3), the
Secretary shall have exclusive authority to control exports of
all computer hardware, software, computing devices, customer
premises equipment, communications network equipment, and
technology for information security (including encryption),
except that which is specifically designed or modified for
military use, including command, control, and intelligence
applications.

`(2) ITEMS NOT REQUIRING LICENSES- After a one-time, 15-day
technical review by the Secretary, no export license may be
required, except pursuant to the Trading with the enemy Act or
the International Emergency Economic Powers Act (but only to
the extent that the authority of such Act is not exercised to
extend controls imposed under this Act), for the export or
reexport of--

`(A) any computer hardware or software or computing device,
including computer hardware or software or computing devices
with encryption capabilities--

`(i) that is generally available;

`(ii) that is in the public domain for which copyright
or other protection is not available under title 17,
United States Code, or that is available to the public
because it is generally accessible to the interested
public in any form; or

`(iii) that is used in a commercial, off-the-shelf,
consumer product or any component or subassembly designed
for use in such a consumer product available within the
United States or abroad which--

`(I) includes encryption capabilities which are
inaccessible to the end user; and

`(II) is not designed for military or intelligence
end use;

`(B) any computing device solely because it incorporates
or employs in any form--

`(i) computer hardware or software (including computer
hardware or software with encryption capabilities) that
is exempted from any requirement for a license under
subparagraph (A); or

`(ii) computer hardware or software that is no more
technically complex in its encryption capabilities than
computer hardware or software that is exempted from any
requirement for a license under subparagraph (A) but is
not designed for installation by the purchaser;

`(C) any computer hardware or software or computing
device solely on the basis that it incorporates or employs
in any form interface mechanisms for interaction with other
computer hardware or software or computing devices,
including computer hardware and software and computing
devices with encryption capabilities;

`(D) any computing or telecommunication device which
incorporates or employs in any form computer hardware or
software encryption capabilities which--

`(i) are not directly available to the end user; or

`(ii) limit the encryption to be point-to-point from
the user to a central communications point or link and
does not enable end-to-end user encryption;

`(E) technical assistance and technical data used for the
installation or maintenance of computer hardware or software
or computing devices with encryption capabilities covered
under this subsection; or

`(F) any encryption hardware or software or computing
device not used for confidentiality purposes, such as
authentication, integrity, electronic signatures,
nonrepudiation, or copy protection.

`(3) COMPUTER HARDWARE OR SOFTWARE OR COMPUTING DEVICES WITH
ENCRYPTION CAPABILITIES- After a one-time, 15-day technical
review by the Secretary, the Secretary shall authorize the
export or reexport of computer hardware or software or
computing devices with encryption capabilities for nonmilitary
end uses in any country--

`(A) to which exports of computer hardware or software or
computing devices of comparable strength are permitted for
use by financial institutions not controlled in fact by
United States persons, unless there is substantial evidence
that such computer hardware or software or computing devices
will be--

`(i) diverted to a military end use or an end use
supporting international terrorism;

`(ii) modified for military or terrorist end use; or

`(iii) reexported without any authorization by the
United States that may be required under this Act; or

`(B) if the Secretary determines that a computer hardware
or software or computing device offering comparable security
is commercially available outside the United States from a
foreign supplier, without effective restrictions.

`(4) DEFINITIONS- As used in this subsection--

`(A)(i) the term `encryption' means the scrambling of wire
communications, electronic communications, or electronically
stored information, using mathematical formulas or
algorithms in order to preserve the confidentiality,
integrity, or authenticity of, and prevent unauthorized recipients
from accessing or altering, such communications or information;

`(ii) the terms `wire communication' and `electronic
communication' have the meanings given those terms in section 2510
of title 18, United States Code;

`(B) the term `generally available' means, in the case of
computer hardware or computer software (including computer
hardware or computer software with encryption capabilities)--

`(i) computer hardware or computer software that is--

`(I) distributed through the Internet;

`(II) offered for sale, license, or transfer to any
person without restriction, whether or not for
consideration, including, but not limited to,
over-the-counter retail sales, mail order transactions,
phone order transactions, electronic distribution, or sale
on approval;

`(III) preloaded on computer hardware or computing
devices that are widely available for sale to the public; or

`(IV) assembled from computer hardware or computer
software components that are widely available for sale to
the public;

`(ii) not designed, developed, or tailored by the
manufacturer for specific purchasers or users, except that any
such purchaser or user may--

`(I) supply certain installation parameters needed by the
computer hardware or software to function properly with the
computer system of the user or purchaser; or

`(II) select from among options contained in the computer
hardware or computer software; and

`(iii) with respect to which the manufacturer of that
computer hardware or computer software--

`(I) intended for the user or purchaser, including any
licensee or transferee, to install the computer hardware or
software and has supplied the necessary instructions to do
so, except that the manufacturer of the computer hardware or
software, or any agent of such manufacturer, may also
provide telephone or electronic mail help line services for
installation, electronic transmission, or basic operations;
and

`(II) the computer hardware or software is designed for
such installation by the user or purchaser without further
substantial support by the manufacturer;

`(C) the term `computing device' means a device which
incorporates one or more microprocessor-based central processing
units that can accept, store, process, or provide output of data;

`(E) the term `customer premises equipment' means equipment
employed on the premises of a person to originate, route, or
terminate communications;

`(F) the term `technical assistance' includes instruction,
skills training, working knowledge, consulting services, and the
transfer of technical data;

`(G) the term `technical data' includes blueprints, plans,
diagrams, models, formulas, tables, engineering designs and
specifications, and manuals and instructions written or recorded
on other media or devices such as disks, tapes, or read-only
memories; and

`(H) the term `technical review' means a review by the
Secretary of computer hardware or software or computing devices
with encryption capabilities, based on information about the
product's encryption capabilities supplied by the manufacturer,
that the computer hardware or software or computing device works
as represented.'.

(b) NO REINSTATEMENT OF EXPORT CONTROLS ON PREVIOUSLY DECONTROLLED
PRODUCTS- Any encryption product not requiring an export license
as of the date of enactment of this Act, as a result of
administrative decision or rulemaking, shall not require an export
license on or after such date of enactment.

(c) APPLICABILITY OF CERTAIN EXPORT CONTROLS-

(1) IN GENERAL- Nothing in this Act shall limit the authority
of the President under the International Emergency Economic
Powers Act, the Trading with the enemy Act, or the Export
Administration Act of 1979, to--

(A) prohibit the export of encryption products to countries
that have been determined to repeatedly provide support for
acts of international terrorism; or

(B) impose an embargo on exports to, and imports from, a
specific country.

(2) SPECIFIC DENIALS- The Secretary may prohibit the export
of specific encryption products to an individual or
organization in a specific foreign country identified by the
Secretary, if the Secretary determines that there is
substantial evidence that such encryption products will be used
for military or terrorist end-use.

(3) DEFINITION- As used in this subsection and subsection
(b), the term `encryption' has the meaning given that term in
section 17(g)(5)(A) of the Export Administration Act of 1979,
as added by subsection (a) of this section.

(d) CONTINUATION OF EXPORT ADMINISTRATION ACT- For purposes of
carrying out the amendment made by subsection (a), the Export
Administration Act of 1979 shall be deemed to be in effect.

SEC. 4. EFFECT ON LAW ENFORCEMENT ACTIVITIES.

(a) COLLECTION OF INFORMATION BY ATTORNEY GENERAL- The Attorney
General shall compile, and maintain in classified form, data on
the instances in which encryption (as defined in section 2801 of
title 18, United States Code) has interfered with, impeded, or
obstructed the ability of the Department of Justice to enforce the
criminal laws of the United States.

(b) AVAILABILITY OF INFORMATION TO THE CONGRESS- The
information compiled under subsection (a), including an
unclassified summary thereof, shall be made available, upon
request, to any Member of Congress.